Troubleshooting DNSSEC Visually

Transcription

1 Troubleshooting DNSSEC Visually Sandia National Laboratories is a multi-program laboratory operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin company, for the U.S. Department of Energy s National Nuclear Security Administration under contract DE-AC04-94AL85000.!

2 Outline Motivation Visualizing DNSSEC Future Work

3 Outline Motivation Visualizing DNSSEC Future Work

4 dig ; <<>> DiG P3 <<>> ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 2 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: IN CNAME sahp1305.sandia.gov. sahp1305.sandia.gov IN A ;; AUTHORITY SECTION: sandia.gov IN NS NS1.CA.sandia.gov. sandia.gov IN NS NS9.sandia.gov. sandia.gov IN NS NS2.CA.sandia.gov. sandia.gov IN NS NS8.sandia.gov. ;; ADDITIONAL SECTION: NS8.sandia.gov IN A NS9.sandia.gov IN A ;; Query time: 4 msec ;; SERVER: #5353( ) ;; WHEN: Mon Apr 26 12:04: ;; MSG SIZE rcvd: 178 DNS Query and Response

5 DNSSEC Query and Response dig +dnssec ; <<>> DiG P3 <<>> +dnssec ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 5 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: IN CNAME sahp1305.sandia.gov IN RRSIG CNAME sandia.gov. abcbrkcgw4ejj +HFrxuR/oxygP30Vurs20Aej/F1Bu4ahHsvYNuWVJ94 21hKS8YIu/xbX2UJRrLq390d8OT2vQF9wkVl8IVMViLGdxp1fVTzES+6 XtMHvEMxavuGv9fkHk3Kyt5RNrWwJ1ZquhdsTfzJwTpS9f6u7K5B24Au MOHRI5FscQhy85dfMMCOYn7Xa0mqaM8mgy1k88xy8zSFQ/ htitmgn6hm bd2p/nlynxmxxnjbliqpe9nzupfjk4jbqvjseakphoj+k66cfbn/glyj B3i5wjbHgXSS3XmkBlrTGjpTVRgnj7ARgMNOEV4pj6WHUHkM3k2TF/SK oiry7g== sahp1305.sandia.gov IN A sahp1305.sandia.gov IN RRSIG A sandia.gov. nk85tnprsqaprqyj8kue0km/9mvbcjd0j5xivjtpn0odmcnqec/pypi7 2HyXGJ1MItuQLLP7yDGRubrbFwljkX9DCRvrK1xSGmj +CH2zrFrs30cu te+w24iuak3rdl6nvvpz0pcpjusbphja0g4vmiphbkafyosll7q101jd Ot8Z5FAaEWxCc0rtkKKA3NlmQ64S2RdEYCV1PRO1fvumiCzLE/oJ/vNN nthmmw8f14zv73jxnyuezaklcz5dl3lkyhhbxff0q2z62wr637knh52o 8Gow1gvlQztFDrzAfbYLnd+UGxlGh0/ vaxnrop5jvc1wkk3mjonnhzbk E5pO6Q== 7yYXSg==

6 What happens if something goes wrong? dig +dnssec ; <<>> DiG P3 <<>> +dnssec ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ; IN A ;; Query time: 1085 msec ;; SERVER: #5353( ) ;; WHEN: Mon Apr 26 13:56: ;; MSG SIZE rcvd: 45

7 Manual Troubleshooting (dig) dig ;; ANSWER SECTION: IN A IN RRSIG A medicare.gov. T1/xOmA+nNEpIcS73wF3iB7+fr/ gqhk8hxvl6cnx90juhn3lwub5snwp OWoIC6eBxbjha1+492SQ4VDQYA8wwmlIF9MFRLrrboo25KUsbJfk0The 440l9heY2Wxm74HXBsJclQEbKvNumx6fRPzmad4jK3RjzLzp4barn282 mma= By signature analysis: casey@rome:~$ dig +dnssec medicare.gov dnskey ;; ANSWER SECTION: ZSK id = medicare.gov IN DNSKEY AwEAAcpyc4bhl2jawsXT73t7SzS2QOx6UoOus+cQh7fasvvJ0DZdqrfn KSK id = GeW8YqUtBudvA0phC/ micbkajtecxatopay1zzivicbvf/1f0vay7kjx LDUGIti8DVCksyRoCakgDQsacBcMW6d+0S5CE4lyQm3zoOoIHIsEq8qT Bo81wMO5 DS key tag = medicare.gov IN DNSKEY AwEAAchzoM8KoxpaUTT5Z8jztyH9ETXDT29XS/hjfNgeEWsihRimMok2 k0gvyody1yysfmnzw8nin/pg82bat+s1wptkfgbx8ssc68ufitvfnnxo NK2t0Q2qk87s3cZ/HFJIaAEGGXG0/h8VhZ/DfSQqGQEuAGEfyxhcqj7F => DS references DNSKEY which does ULFVKd7GGBInXIGD3LrtgfaGkUBV2XjG9XH2leSxvXvk29ovNdrLYjWs UFPBzYlQseNBvDYYa8pA99/yYCr1ThGVBl+uRPRcfPhYOEXZ2m9geH9B not exist 82hGflr1xkmKiLjejop10gR0pJW2qVMEG9QZQW0nHEbWEeNO1NA7omtX 0b3ZZq6Jfc0= medicare.gov IN RRSIG DNSKEY medicare.gov. xu/y+q7swm +sjcn9upiz7vuujz03yxx+m2ji89qqmjzse2ehxbnmqazh axlpiwhwftrtptwzcjwo/dfuk7mnkcegc/4l9xogetkcl/lnlaseep2j 3RJPsmFXFLOPGvY2v2Vnik45qJweNmZYse083ouOurAUpCXwpJVUzRa/ plmtt6rdzkm4ht3oc4qtezmakdku/qeicpapqpz0g2g1z8lr86vz+lcp V3tw4TT5Pf92wdRTXzvUG+ZonfyYhD4jNgFKhm6hVreHJmon6hPWo4lK N1HJIZSbV7KDV5GJo5CHFNxYLRmJtfg8YxV4NXqSmOSy8EDgOao1lYbK co+9pa== medicare.gov IN RRSIG DNSKEY medicare.gov. LRmOwpQoqE5ScCDHHkILhPoxBJaMeV0BYMx8M7lXw96F9oI9ub6MWz+u MZkXmyfkld5UKidKQGU1tqLJgIZhOwztRBgYXfTpL7WHP9N0LcfIcs+a n8pyzdup0qeucrahnde7rar3ect6rcjyjswelp+96oabzhquigael6zx 4gs= casey@rome:~$ dig medicare.gov ds ;; ANSWER SECTION: medicare.gov IN DS B998973DAA4C783A7A24B6FC19251FB0CC8064D medicare.gov IN DS FE4FFF98AD71863FC64751C9B3A0D2B2A73622A84DB19E3A08E CDC912F1 medicare.gov IN RRSIG DS gov. Jz14rLZ7r2IaOJHLxDqmIBRvYCH5lPUVh +4kKZit9Rv7wn9oLkcgTXQA rp46sa0l2fzrec6fuedz6sixkkufteq8talbnikpud00yamyydupvg0e YLwPU0XIG4J5axly1FRu1mJ7843ej/ FmmnEfqOq55jzf3Oc+hW18KTFB XpA=

8 DNSKEY Roles DNSKEY roles: ZSK (zone signing key) signs zone data KSK (key signing key) signs only DNSKEY RRset SEP (secure entry point) Typically associated with KSK Resolver must ignore SEP flag Revoked Revoke bit set and self-signed DNSKEY roles don t necessarily follow attributes SEP KSK ZSK Zone data

9 More Automated Methods Other techniques dig +sigchase drill -S Methods are textual, more catered toward advanced users

10 Outline Motivation Visualizing DNSSEC Future Work

11 DNSSEC Visualization A picture is worth one thousand DNS queries. - Loosely adapted from a quote attributed to Chinese proverb

12 Visualization Components Domain name DNSKEY/DS RR DNSKEY attributes SEP Revoke Published Missing Trust anchor NSEC proving non-existence of DS RRs (insecure delegation) Missing

13 Alias dependency Visualization Components Valid Bogus Expired Missing Signature or digest Secure Bogus Insecure Misconfigured Delegation Proof of insecure delegation Sufficient Insufficient

14 The Bottom Line Is there a valid chain of trust from a trust anchor to a node? Secure Bogus Insecure Has the existence of DS RRs been effectively repudiated for insecure delegations?

15 Revisiting medicare.gov: DS RRs exist, but don t match any DNSKEY RR

16 Selective DNSSEC algorithm support (e.g., BIND < 9.6) now insecure instead of bogus

17 Configurable trust anchors and ISC DLV support now secure instead of bogus

18 Linked to root zone, as well as ISC DLV Single DNSKEY, functioning as ZSK, KSK, and SEP

19 Single DNSKEY, functioning as ZSK, KSK, and SEP

20 Both ZSK and KSK function as SEPs, each correspond to a DS (DLV) RR

21 Some authoritative servers missing signatures

22 Multiple signatures across severs; one bogus

23 Multiple signatures across severs; one expired

24 Revoked DNSKEY: revoke bit set and self-signed

25 Expired signature: invalidates NSEC RR covering DS RR, resulting in bogus validation below in the hierarchy

26 Expired signatures in island of security: no effect on security of names

27 Missing signatures

28 Bad KSK rollover; DNSKEY matched with DS/DLV having previous key tag; invalid DNSKEY revocation (missing self-signature)

29 Dependency complexities

30 Server status Consistency DNSKEY RRset Signature Serial PMTU status NSEC3 awareness

31 Outline Motivation Visualizing DNSSEC Future Work

32 Future Work Documentation Visual history of zone for reference, post-mortem analysis Visual representation of server consistency RESTful interface for queries

33 Questions?